Additional Copies

To obtain additional copies of this report, visit the Inspector General of the Department of Defense Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General of the Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

AAA      Army Audit Agency
AFAA     Air Force Audit Agency
AICPA    American Institute of Certified Public Accountants
DCAA     Defense Contract Audit Agency
DFAS     Defense Finance and Accounting Service
GAO      General Accounting Office
IG       Inspector General
IIA      Institute of Internal Auditors
NAS      Naval Audit Service
OMB      Office of Management and Budget

DISTRIBUTION:

Director, Defense Commissary Agency
    Internal Review Office
Director, Defense Contract Audit Agency
Director, Defense Contract Management Agency
    Internal Review Office
Director, Defense Finance and Accounting Service
    Director, Internal Review
Director, Defense Logistics Agency
    Director, Internal Review
Director, Missile Defense Agency
    Internal Review Office
Auditor General, Department of the Army
Auditor General, Department of the Navy
Auditor General, Department of the Air Force
Inspector General, Defense Information Systems Agency
Inspector General, Defense Intelligence Agency
Inspector General, National Imagery and Mapping Agency
Inspector General, National Reconnaissance Office
Inspector General, National Security Agency
Inspector General, Special Operations Command
Chief, National Guard Bureau
    Internal Review Office
Chief of Naval Education and Training
Headquarters, U.S. Marine Corps Nonappropriated Fund Audit Service
Director, Audits Division, Army and Air Force Exchange Service

Office of the Inspector General of the Department of Defense

Report No. D-2002-6-006                                          May 6, 2002
(Project No. D2001-OA-0122)

Summary of Risk Assessment Methodologies

Executive Summary

Introduction. This report provides the DoD audit community with information relating to risk assessment methodologies. The primary objective of an audit risk assessment is to provide its users with the assurance that audit resources are focused on those areas needing the greatest attention and will provide the best value to the audit client. Audit risk assessments occur both at an overall (macro) level and at a specific project (micro) level. DoD audit organizations rely on the results of risk assessment to help them manage the Department-wide audit resources of approximately 6,600 auditors. These auditors provide audit coverage for an organization that has an estimated annual budget of $329 billion in FY 2002.
To accomplish their audit missions, auditors conduct risk assessments by following established standards, but also by developing additional procedures necessary for specific projects.

Government and professional organizations provide standards and guidance on the requirements for completing risk assessments. The General Accounting Office issues Government Auditing Standards, which prescribe standards of fieldwork for both financial and performance audits and require an assessment of control risk, internal or management controls, and adequate audit planning. The Office of Management and Budget provides risk assessment guidance in Circular No. A-123 “Management Accountability and Control” and in Circular No. A-133 “Audits of States, Local Governments, and Non-Profit Organizations.” The American Institute of Certified Public Accountants Auditing Standards Board issues the Codification of Statements on Auditing Standards. The Statement on Auditing Standards requires adherence to the generally accepted auditing standards, which include adequate planning and a sufficient understanding of internal controls for project planning under the Standards for Field Work.

Objectives. The objective of the review was to identify procedures for assessing risk when conducting DoD audits and to provide the DoD audit community with a resource of useful procedures. We included DoD audit activities and other government and private audit organizations in our review.

Results. DoD audit organizations consider risk assessment results in assigning audit resources to the functional areas identified as high risk. DoD audit organizations also respond to changing audit needs and changes in high-risk areas.
The methodologies used by audit organizations varied from formal instructions for identifying high-risk areas to informal procedures such as documenting the result of an audit planning meeting with organizational managers. In each case, whether through formal or informal methodologies, the objective was the same--to identify where audit resources can be used most effectively.

Some audit organizations have also developed or used standard risk assessment procedures for specific types of audits, such as information system audits, contract audits, and audits required under the Single Audit Act or the Chief Financial Officers Act. Many of these procedures are commercially available or available through the Internet. Other types of audits do not lend themselves to standard risk assessment methodologies. However, the concepts can often be tailored to these audits as well.

Table of Contents

Executive Summary                                         i

Introduction
     Background                                           1
     Objectives                                           3

Results
     Risk Assessment Methodologies                        4

Appendixes
     A.   Project Process                                12
     B.   Description of Risk Assessment Factors         13
     C.   Risk Assessment Resources and Contact Points   14
     D.   Example of Risk Assessment Tool                16
     E.   Report Distribution                            17

Background

Significance of Risk Assessment Procedures in DoD Auditing. Risk assessment procedures are critical to DoD audit organizations in identifying and planning audit work that covers the varied and worldwide activities of the Department.
Risk assessment procedures within DoD audit organizations, together with guidance provided by the General Accounting Office, the Office of Management and Budget, and other organizations, help provide audit focus and allow for proper planning. Risk assessments are essential to ensure that audit resources are effectively and efficiently used.

The DoD annual budget for FY 2002 is approximately $329 billion. DoD is the Nation’s largest employer, with about 1.4 million active duty service members, 1.28 million volunteer guard and reserve members, and 672,000 civilian employees. The DoD also operates the largest acquisition system, generating 15.8 million different acquisitions valued at more than $175 billion in FY 2001. The Department supports more than 600 fixed facilities worldwide, including 250 major installations. DoD trains and equips the Armed Forces--the Army, Navy, and Air Force--to perform warfighting, peacekeeping, and humanitarian/disaster assistance tasks. Every year, DoD pays 5.5 million military and civilian members by issuing more than 135 million payroll payments valued at approximately $114 billion. Additionally, DoD disburses approximately $150 billion annually, making more than 11.1 million contractor or vendor payments.
This considerable activity requires an active role by the Department’s audit organizations at all levels; however, to provide the audit support required for the activity, there are only about 6,600 auditors throughout the Department.

The Inspector General (IG) of the Department of Defense, with 525 auditors, serves as an independent and objective official in the Department of Defense who is responsible for conducting, supervising, monitoring, and initiating audits. Together with the Defense Contract Audit Agency (DCAA), the Army Audit Agency (AAA), the Naval Audit Service (NAS), and the Air Force Audit Agency (AFAA), we provide leadership and coordination and we recommend policies designed to promote economy, efficiency, and effectiveness in the administration of DoD programs and operations. We also seek to prevent and detect fraud and abuse in these programs. In addition, various Defense agencies and local commands have approximately 1,140 internal auditors to support their mission.

The DCAA, with approximately 3,450 auditors, is responsible for performing all contract audits for the Department of Defense and for providing accounting and financial advisory services regarding contracts to all DoD Components responsible for procurement and contract administration. DCAA provides audit cognizance for about 9,900 DoD contractors. In 2001, DCAA audited 8,874 pricing proposals with a total value of $123.5 billion and conducted other audits valued at $94.9 billion. DCAA provided net taxpayer savings of $3.2 billion.

The AAA, employing 541 auditors, provided audit coverage for an estimated $70.8 billion annual budget in FY 2001. The NAS, with 259 auditors, is responsible for internal audit of the $83 billion program of the Navy.
The AFAA, employing 713 auditors, provides all levels of Air Force management with audit services valued at approximately $71.2 billion in FY 2001. However, over the last several years, DoD audit organizations have had significant reductions in staff. These reductions in staff require agencies to reassess priorities and determine where they can best use their valuable resources. Procedures used to address overall audit planning are referred to as macro risk assessments, and they are designed to help audit organizations identify and reassess high-risk audit areas.

General Accounting Office Guidance. The General Accounting Office (GAO) issues Government Auditing Standards in what is commonly known as the Yellow Book. The Yellow Book prescribes standards of fieldwork for both financial and performance audits. These standards include the assessment of control risk and internal or management controls. These fieldwork standards relate to specific audits and require assessments of functional areas such as computerized information systems, safeguarding of assets, and compliance with laws and regulations. Procedures used to address these standards are referred to as micro or specific audit risk assessment procedures.

Also, since 1990, the GAO has periodically reported on government operations that it identifies as high-risk. In January 2001, GAO identified Strategic Human Capital Management and Information Security as Government-wide high-risk areas.
GAO also identified the following six high-risk areas specifically for DoD.

       •   Systems Modernization,
       •   Financial Management,
       •   Infrastructure Management,
       •   Inventory Management,
       •   Weapon Systems Acquisition, and
       •   Contract Management.

DoD audit organizations consider these high-risk areas for macro or overall audit planning and may include them as functional audit areas in an organizational audit or strategic plan.

Office of Management and Budget Guidance. The Office of Management and Budget (OMB) provides risk assessment guidance in Circular No. A-123 “Management Accountability and Control” and in Circular No. A-133 “Audits of States, Local Governments, and Non-Profit Organizations.” OMB Circular A-123 requires agencies to develop strategic plans, set performance goals, and report annually on performance compared to goals. Management controls are an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. Audit organizations can use these strategic plans and related management controls as a basis for audit planning. Auditors then provide information to management by conducting assessments of the management controls and making recommendations to assist in effectively meeting the plans and goals. OMB Circular A-133 sets forth standards for obtaining consistency and uniformity among Federal agencies for the audits of States, local governments, and non-profit organizations expending Federal awards.
OMB Circular A-133 further provides audit requirements and the risk-based audit approach used to determine which Federal programs are major programs.

Objectives

The objective of the review was to identify procedures for assessing risk when conducting DoD audits and to provide the DoD audit community with a resource of useful procedures. We focused on both overall audit planning procedures and specific risk assessment procedures used to address audit objectives. We included DoD audit activities and other government and private audit organizations in our review.

Risk Assessment Methodologies

Audit organizations, including DoD audit organizations, use different risk assessment methodologies when planning and conducting audits. These methodologies have either been self-developed or bought commercially. As a result, DoD audit organizations use a wide array of risk-based audit planning methodologies and risk assessment tools for conducting audits. There is not one method that would work for all audit activities. Instead, risk assessments must reflect the audit environment and the activities audited.

Risk Assessments and Audit Planning

The DoD audit organizations and other governmental audit organizations use various formal and informal methods to assess risk during the audit planning phase. We defined formal risk assessment procedures as those procedures that are required by agency regulations or instructions. Informal risk procedures represent those procedures that, although not required, were developed and used by audit teams within the organization.

During audit planning, organizations consider several factors to help them identify auditable areas.
These risk-based factors make it easier for agencies to identify areas needing greater audit attention. Table 1 below identifies some of the more common factors used to measure risk. The table also indicates which organizations use the corresponding risk factor to document the overall level of risk and allocate audit resources accordingly. A brief description of each factor is provided at Appendix B.

Table 1. Risk Factors Used by DoD Audit Organizations

Risk Assessment Factors        AAA    NAS    AFAA   DCAA   DFAS-IR   IG DoD
Audit History/Prior Coverage    ♦      ♦      ♦      ♦        ♦        ♦
Degree of Decentralization                                    ♦
Dollar Value/Resources Used     ♦      ♦      ♦      ♦        ♦        ♦
Employee Competence                                           ♦
Employee Turnover/Growth        ♦                             ♦
Fraud, Waste & Abuse            ♦      ♦      ♦      ♦        ♦        ♦
Internal/Management Controls    ♦      ♦      ♦      ♦        ♦        ♦
Mission/Goals                   ♦      ♦      ♦                        ♦
Organizational Changes          ♦             ♦               ♦
Outside Concern/Sensitivity                   ♦                        ♦
Public Law                      ♦      ♦      ♦      ♦                 ♦
Requested/Suggested Audits      ♦      ♦      ♦      ♦        ♦        ♦

KEY: AAA – Army Audit Agency, NAS – Naval Audit Service, AFAA – Air Force Audit Agency, DCAA – Defense Contract Audit Agency, DFAS-IR – Defense Finance and Accounting Service-Internal Review; IG DoD – Inspector General of the Department of Defense, Assistant IG for Auditing

Documentation indicated that the risk assessment factors are frequently used; however, the absence of a mark for a specific organization does not mean that the organization does not consider the factor. The purpose of the table is to illustrate that macro risk assessment procedures are varied and should be designed to meet the needs of the audit organization. Certainly, many more factors exist that can affect an organization’s audit resources. Audit organizations can use these commonly known factors, but they must also anticipate future events to properly plan for high-risk audit issues. It is important for an audit organization to have established macro risk assessment procedures to assist it in allocating audit resources. The following discussion provides information and examples about risk assessment methodologies used by audit organizations.

Army Audit Agency. The AAA assesses risks and reviews internal controls as part of most audit projects.
Risk assessment methods are usually incorporated into the overall audit planning function. AAA uses many informal risk assessment methods to identify high-risk audit areas. For example, AAA managers would consider a significant reduction in staffing in a particular area as a high-risk indicator and plan audit coverage accordingly. The AAA relies on its senior audit managers to assess functional areas and determine the high-risk areas needing audit coverage. Therefore, AAA managers rate known risk factors associated with particular issues to accomplish macro audit planning.

Naval Audit Service. The NAS has also used various risk assessment methods and selected risk factors to help develop an overall audit plan. Recently, the NAS has reorganized its functional audit areas and is currently working to develop a framework for determining the allocation of audit resources to the highest risk areas. The NAS has contracted with KPMG, LLP to conduct a macro risk assessment project. The risk assessment project will identify and prioritize auditable entities within the Navy.

Air Force Audit Agency. The AFAA has developed and incorporated formal audit risk assessment procedures into its audit instructions. The instructions include planning documents with risk criteria sections used in planning audit projects. The planning document outlines the procedures to be followed to rate the audit risk by assigning a score to critical factors. Some critical factors rated by AFAA include dollar value or resources used, the effectiveness of internal or management controls, audits suggested or requested by management, the level of concern or sensitivity outside the organization, audits required by public law, and recent significant organizational changes. AFAA uses this formal audit planning document and risk assessment to help determine its audit plan.

Defense Contract Audit Agency. The Defense Contract Audit Agency (DCAA) uses a formal risk assessment method to rank and determine programs requiring audit coverage. DCAA has developed and established many risk assessment worksheets for use during audit planning. The worksheets were developed to assess risk and document the results relating to a specific type of DCAA audit. The worksheets were also designed to address the risk assessment requirements outlined in the DCAA Contract Audit Manual. For example, at major contractors, those with more than $80 million in auditable costs, DCAA uses separate audit assignments to review and evaluate each significant contractor accounting and management system and its related controls. The resulting control risk assessments are documented using the DCAA Internal Controls Audit Planning Summary process, which provides a summary of control risk assessments on the 10 major business areas. Other auditors can use the Internal Controls Audit Planning Summary process to understand the level of risk associated with the contractor’s accounting and management systems as it relates to the individual audit assignments they are working on. DCAA auditors use the information obtained and the risk assessed to determine the extent of transaction testing.

In an effort to address its audit backlog with decreased staff levels, DCAA developed a sampling initiative for audits of incurred cost contracts with an annual maximum dollar volume of $10 million. DCAA believed that the backlog of incurred cost audits represented a significant risk to the organization’s mission, so it developed an audit-sampling plan to help reduce this risk. DCAA analyzes the contractor to determine questioned costs, audit leads, risk identified by the contracting officer, and audit experience with the contractor.
If the analysis determines that none of these factors are currently present at the contractor, the contractor is rated as low risk and will be audited in a 3-year cycle. However, if these factors are present, the contractor will receive a high-risk rating and will be audited yearly.

Although the risk assessment procedures used by DCAA are specific to the types of audits it conducts, they provide good examples of how audit organizations would benefit from developing and establishing guides or pro-forma documents to help ensure that risk factors are adequately assessed.

Defense Finance and Accounting Service (DFAS) Internal Review. DFAS Internal Review uses a formalized risk assessment method in selecting areas for inclusion in its audit plan. The assessment is designed to measure the overall risk of one functional area as it relates to other functional areas. The risk factors in the assessment methodology include: performance achievement, financial perspective, personnel issues, system problems, and control environment. Based on the assessment, functional areas are categorized as high, moderate, or low risk. The rating represents the criticality or impact of the functional unit to the overall DFAS mission.

Inspector General of the Department of Defense, Assistant Inspector General for Auditing. The IG DoD plans audits and evaluations based on planning research efforts and audits required by law or requested by the Congress. Audit planning must respond to management needs and provide balanced coverage for the Department. Therefore, the IG DoD relies on its senior managers to ensure that a sufficient level of research is conducted within their assigned functional area to identify audit needs.
Senior managers should:

       •   maintain an inventory of significant auditable entities for their functional area,
       •   coordinate with applicable DoD-wide planning groups,
       •   coordinate with DoD managers to obtain their ideas and priorities, and
       •   coordinate with GAO counterparts.

Where law, regulation, or congressional direction does not mandate the audit topics, the IG develops its audit plan relying on risk assessment results and in consultation with DoD managers when possible. The projects are coordinated in the joint audit planning groups that address coverage in each major functional area. The functional areas included Acquisition Management, Contract Management, Finance and Accounting, and Readiness and Logistics Support. Table 2 provides an overview of IG DoD audit workload by source for FYs 1998 through 2001. Table 2 indicates that 23 percent of our workload is self-generated based on risk assessments. With only about 23 percent of our audit staff resources available, we must use risk assessment procedures to identify those projects having the highest risk in order to ensure that we are providing effective audit coverage to areas not already mandated.

Table 2. Inspector General of the Department of Defense, Audit Reports by Source FY 1998-FY 2002

(The original presents Table 2 as a pie chart; the report counts and shares it shows are listed below.)

Source                        Reports   Share
Congressional Reports            346     40%
Management Request Reports       277     32%
Risk Assessment Reports          203     23%
Hotline Reports                   44      5%

In an effort to keep the Congress informed of issues affecting the Department, the IG DoD identifies and periodically reports the DoD top 10 management challenges. Inspectors General at other executive departments also gather similar information for the Congress and senior management. These high-risk areas are then also used as a basis for assigning audit resources. The IG DoD reported these issues in its semiannual report, which is available at www.dodig.osd.mil.

Other Audit Organizations. The State of Ohio Auditor’s Office relies on standard audit steps to assess risk and generally performs audits based on requirements such as OMB Circular A-133 or other statutory requirements. Therefore, the State of Ohio Auditor’s Office has found it useful to develop and establish questionnaires and standard forms for use by its auditors to assess risk and determine audit coverage. Many of the tools used by the State of Ohio Auditor’s Office are available via the Internet. The Inspector General, Department of Health and Human Services, Office of Audit Services also has standard working paper forms that specifically address risk analysis. The Office of Audit Services at the Department of Health and Human Services makes its standard working papers available through the Internet.

Commercially Available Risk Assessment Programs. In recent years there has been an increase in the number of software programs developed to assist audit organizations in assessing risk. Public accounting firms and several other commercial organizations market risk assessment software programs that help audit organizations gather information and identify potential high-risk audit areas. Some software programs include:*

       •   Audit Leverage by IAD Solutions,
       •   Auditor Assistant by Norstan Consulting,
       •   Auto Audit by Paisley Consulting Inc., and
       •   Teammate (TeamRisk) by PriceWaterhouseCoopers.

These software programs provide organizations with an opportunity to perform risk assessments using automated software that will also support the entire audit lifecycle, such as project management, automated work paper files, audit followup, and other functions. The software provides an organization with the overall framework for completing risk assessments while allowing the software programs to be modified to meet the specific needs of the organization. It is important to note that this software may be especially helpful to organizations that do not have established risk assessment procedures or are currently reorganizing their audit functions to meet a change in mission. Specific details on how the software programs operate should be requested from the developer. We did not attempt to evaluate the effectiveness of these software programs.
We are only providing this as information on resources available for organizations that are seeking commercially available programs to improve their audit risk assessment processes and procedures.

Summary. The risk assessment resources available to auditors are numerous. Many organizations have been conducting risk assessment procedures using similar methods for years. However, their procedures may not be formally documented as a risk assessment procedure. When the audit requirements of an organization are similar or mandated by statute, it is beneficial to develop and maintain a library of risk assessment documents or tools to be used for audit planning and during future audits. The above information and examples are just a few of the methods used by audit organizations. Of course, there are many other organizations with established formal methods. Appendix C provides a listing of some available resources where auditors can research current trends and issues relating to risk assessment methodologies, and links to access their web sites.

* Reference to the listed software and the software development companies does not represent a recommendation or endorsement by the Inspector General of the Department of Defense.

Risk Assessment Tools for Audit Projects

Micro or specific audit risk assessments occur during actual audit projects. An audit team is responsible for developing audit steps that will identify the high-risk areas specific to the objectives and goals of the particular audit project. Generally, audit organizations develop assessment tools to assist the audit teams in determining the overall level of risk associated with the audit.
The assessment tools address the objective of the audit and help to identify high-risk issues within a defined area or function. By determining the levels of risk associated with a particular audit, the audit manager is able to allocate sufficient resources to the high-risk areas.

Risk assessment tools can be simple worksheets developed to rank internal controls, or they can be complex computer software programs that identify vulnerabilities within a computer system or network. In either case, the assessment is a planned review of some portion or segment of the overall audit objective. It is important that risk assessments specific to the audit objective be completed during the survey phase and again, if necessary, early in the audit phase. The results of the risk assessment then allow the auditors to focus on the areas needing the most attention.

Many micro risk assessment procedures or tools are developed while completing audits that are similar in nature. For example, the American Institute of Certified Public Accountants (AICPA) has guides available to help auditors in specific industries such as gambling, utilities, or health care. Companies have developed system or network scanning software that can be purchased commercially and used by information system auditors. Scanner output identifies candidate high-risk areas; the audit team still has to verify the findings and rank them against the audit objective. The following discussion provides some examples of tools developed during audits that assist auditors in assessing high-risk areas on specific projects.

Professional Organizations. The AICPA and the Institute of Internal Auditors (IIA) provide many useful tools to help auditors conduct risk-based audit procedures and apply risk assessment methods during actual audit projects.
The AICPA provides guides related to specific industries, as previously discussed. For example, the AICPA resource online library contains auditing literature on standards, technical practice aids, reporting trends, and guidance. The library contains current audit risk alerts for specific industries and organizations. The IIA also makes resources available online, providing guidance by issuing practice advisories or guidelines. There are specific practice advisories addressing risk assessment in engagement planning, guides to help link the audit plan to identified risks and exposures, and information about the internal audit function's role in the risk management process. These products are available online through AICPA and IIA membership subscriptions.

General Accounting Office. The GAO provides audit organizations with useful audit planning information by issuing periodic executive guidance. For example, in its May 1998 executive guide "Information Security Management: Learning From Leading Organizations," and its November 1999 supplement, the GAO discusses risk assessments and risk management. In its guidance, GAO provides the basic elements generally included in all risk assessments. GAO points out that organizations need to reassess the controls that were implemented to mitigate perceived risks, because those risks change over time. In its November 1999 supplemental guidance, GAO provided a Risk Assessment Matrix and a Risk Assessment Table that were developed as tools to help the auditor assess information system risk. The risk assessment matrix was developed for use during information security audits. Appendix D is a copy of the matrix, which provides examples of the areas of vulnerability and the associated risk of loss.
The matrix is another example of how organizations would benefit from tools that assist audit teams in assessing the risks associated with similar types of audits.

Army Audit Agency. AAA developed risk assessment worksheets for computer system and installation management audit projects. For example, during audits of year 2000 systems, a scorecard assessment was developed to help auditors identify the technical, resource, and time risks associated with computer systems that would impact the Army's mission. For the installation management functional area, an assessment worksheet was developed that identifies high-risk activities based on the financial results reported by golf courses operated by the Army. By ranking the reported financial results, the audit team identified golf courses that potentially have a higher risk of internal control problems or other management issues.

Air Force Audit Agency. AFAA sought commercially developed software programs to help it assess network security and reliability at Air Force bases. These audits used scanning software to test base network security and make recommendations to commanders. AFAA also developed standard work paper guides to complete the audit requirements of the Air Force Working Capital Fund financial statement audits. These guides provided audit teams with an established set of required steps or procedures necessary to complete their assigned audit area. Whether developed in-house or obtained commercially, audit organizations would benefit from establishing a library of risk assessment tools for use by audit teams that conduct routine or similar audits.

Conclusion

To accomplish their audit mission, DoD audit organizations must conduct risk assessments by following standards issued by GAO, OMB, and other professional auditing organizations.
These standards require assessment of control risk, internal controls, and adequate planning. However, audit organizations also need to develop additional procedures for specific projects. Auditors conduct risk assessments almost daily as a normal aspect of their job. When auditors exercise judgment, an important part of auditing, they are conducting "mini" risk assessments to reach a decision. Auditors weigh known factors and use past experience to decide a particular issue. The issue may be anything from which audit site to visit to the size of an audit sample. Auditors have many formal and informal resources available to help them accomplish risk assessments. Audit organizations would benefit from the establishment of proven methods that assist audit managers in aligning resources to the high-risk areas. Additionally, audit teams would equally benefit from documenting and maintaining proven procedures that can be easily modified to assess the risks associated with specific projects. Worksheets, matrixes, guides, or other assessment tools should be developed, archived, and shared by audit agencies for specific functional areas or audit projects. By making these proven tools available, an organization helps to ensure that the audit team adequately assesses the project's risk areas and focuses on the high-risk areas instead of the low-risk areas.

Appendix A. Project Process

Scope and Methodology. The project objective was to provide the DoD audit community with information relating to risk assessment methodologies and to identify procedures and useful resources. We gathered data from the DoD Service audit agencies, the Defense Contract Audit Agency, the General Accounting Office, and other organizations.
Additional research was conducted through the Internet by accessing the web sites of professional accounting and auditing organizations. We did not attempt to review the adequacy of risk assessment procedures at the organizations we contacted. We collected overall and specific audit planning methods that organizations have developed and found to be useful.

Contacts During the Project. We visited or contacted DoD audit organizations, other Federal audit organizations, and state and local audit organizations. Further details are available upon request.

Appendix B. Description of Risk Assessment Factors

Audit History/Prior Coverage. No audit history, the length of time between audits, the results of prior audits, and the management actions taken are all risk indicators that should be measured to decide the level of risk associated with the project.

Degree of Decentralization. The degree of management or functional decentralization will increase the risk factor rating. For example, if a disbursing function takes place at many locations, the level of risk is higher than that of a centrally controlled disbursing function.

Dollar Value/Resources Used. The dollar value, volume of transactions, number of employees involved, asset values, or use of resources will affect the risk rating.

Employee Competence. An assessment of how well employees' knowledge, skills, and abilities match the requirements for job performance will affect the level of risk associated with a project.

Employee Turnover/Growth. High employee turnover or a large increase or decrease in the number of employees in an area may indicate potential problems and, therefore, affect the risk rating.

Fraud, Waste, and Abuse. The vulnerability of the audit subject to fraud, waste, and abuse affects the risk rating.
For example, activities having assets that could be easily converted to cash or personal use would receive a high-risk rating.

Internal/Management Controls. The project entity's management self-evaluation affects the risk rating. Also, past experience with management control programs of the subject and at the potential project entity will impact the risk rating. Limited or no controls will be rated as high risk, adequate controls or no past experience will be rated as medium risk, and significant controls will be rated as low risk.

Mission/Goals. Audit projects that directly affect an organization's ability to complete its mission or accomplish its goals, such as weapon system performance, would be rated as high risk. Projects that indirectly affect the mission or goals, such as computer or communication networks, would be rated as medium risk. Projects that have no direct effect, such as billeting or club operations, would be rated as low risk.

Organizational Changes. Changes in an entity's mission, structure, staffing levels, or financial results are all indicators that may affect the rating level.

Outside Concern/Sensitivity. The sensitivity of the project to outside criticism or adverse public opinion increases the risk factor rating. For example, environmental safety is of great concern to communities around military installations.

Public Law. Projects required by public law will automatically be rated as high risk.

Requested/Suggested Audits. An audit requested or suggested by Congress or senior management will normally receive a high-risk rating.

Appendix C. Risk Assessment Resources and Contact Points

The inclusion of an organization does not represent an IG DoD recommendation, endorsement, or agreement with the information offered by the organization.
The following list of resources is provided for information purposes only. Each entry gives the organization name, a description of the resource, and the web site at which the resource is available.

Air Force Audit Agency
    Web site providing information and guidance on the audit process
    www.afaa.hq.af.mil

American Institute of Certified Public Accountants
    Professional organization web site providing accounting and auditing guidance and products
    www.aicpa.org or www.cpa2biz.com

Army Audit Agency
    Web site providing information and guidance on the audit process
    www.hqda.army.mil/AAAWEB

Defense Contract Audit Agency
    Web site providing general audit guidance and information on the audit process
    www.dcaa.mil

General Accounting Office
    Governmental guidance and related resources
    www.gao.gov

Institute of Internal Auditors
    Professional organization providing auditing and consulting guidance and products
    www.theiia.org

Naval Audit Service
    Web site providing information and guidance on the audit process
    www.hq.navy.mil/NavalAudit

Office of Audit Services, Inspector General, Department of Health and Human Services
    Governmental agency web site providing tools for conducting audits and preparing reports
    www.oig.hhs.gov

Office of Management and Budget
    Governmental guidance and related resources
    www.whitehouse.gov/omb

State of Ohio Auditor's Office
    State governmental agency providing audit information for state and local government audits
    www.auditor.state.oh.us

Additional Contact Points

The following contact points are provided for organizations that would like to obtain additional risk assessment procedures information.

Defense Contract Audit Agency
Headquarters, Policy and Plans
Quality Assurance Division
(703) 767-2250
dcaa-pqa@dcaa.mil

Naval Audit Service
Environmental Risk Assessment
    Joan Hughes
    (202) 433-5551
    Hughes.Joan@hq.navy.mil

Acquisition and Logistics Risk Assessment
    Randy Exley
    (202) 433-6260
    Exley.Randy@hq.navy.mil

Macro Risk Assessment
    Vinnie D'Orazio
    (202) 433-6874
    Dorazio.Vinnie@hq.navy.mil

Appendix D. Example of Risk Assessment Tool

The GAO developed this risk assessment matrix for information security audits. It provides a good example of a tool that can be used on similar audits or modified as needed.

Appendix E. Report Distribution

Department of the Army
Auditor General, Department of the Army
Chief, National Guard Bureau
    Internal Review Office

Department of the Navy
Auditor General, Department of the Navy
Chief of Naval Education and Training
    Command Evaluation Officer
Headquarters, U. S. Marine Corps, Nonappropriated Fund Audit Service
Director, Office of Internal Audit, Navy Exchange Service Command

Department of the Air Force
Auditor General, Department of the Air Force

Defense Agencies
Director, Defense Commissary Agency
    Internal Review Office
Director, Defense Contract Audit Agency
Director, Defense Contract Management Agency
    Internal Review Office
Director, Defense Finance and Accounting Service
Director, Defense Logistics Agency
    Internal Review Office
Director, Missile Defense Agency
    Internal Review Office
Inspector General, Defense Information Systems Agency
Inspector General, Defense Intelligence Agency
Inspector General, National Imagery and Mapping Agency
Inspector General, National Reconnaissance Office
Inspector General, National Security Agency
Inspector General, Special Operations Command

Other Defense Agencies
Director, Audits Division, Army and Air Force Exchange Service

Team Members

The Deputy Assistant Inspector General for Audit Policy and Oversight, Office of the Assistant Inspector General for Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General of the Department of Defense who contributed to the report are listed below.

Patricia A. Brannin
Wayne C. Berry
Edward A. Blair
Krista S. Gordon